<!doctype html><html lang=zh-cn dir=ltr>
<head><meta charset=utf-8>
<meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="DVWA SQL Injection 过关秘籍.
LOW if( isset( $_REQUEST[ &#39;Submit&#39; ] ) ) {  // Get input  $id = $_REQUEST[ &#39;id&#39; ];   // Check database  $query = &#34;SELECT first_name, last_name FROM users WHERE user_id = &#39;$id&#39;;&#34;;  // 并没有做什么注入防护  // 尝试构造：  // select first_name, last_name from from users where user_id = &#39;1&#39; and 1=1;  // select first_name, last_name from from users where user_id = &#39;1&#39; and 1=2;  // select first_name, last_name from from users where user_id = &#39;1&#39; or 1=1;   $result = mysql_query( $query ) or die( &#39;&lt;pre&gt;&#39; ."><title>SQL Injection</title><link rel=canonical href=https://sdttttt.github.io/blog/sql_injection/>
<link rel=stylesheet href=/scss/style.min.b80bf249ce4a22cf55e8d7340a0b37a2f2c10f54f3a9a49cb94b694a2eb0bbea.css><meta property="og:title" content="SQL Injection">
<meta property="og:description" content="DVWA SQL Injection 过关秘籍.
LOW if( isset( $_REQUEST[ &#39;Submit&#39; ] ) ) {  // Get input  $id = $_REQUEST[ &#39;id&#39; ];   // Check database  $query = &#34;SELECT first_name, last_name FROM users WHERE user_id = &#39;$id&#39;;&#34;;  // 并没有做什么注入防护  // 尝试构造：  // select first_name, last_name from from users where user_id = &#39;1&#39; and 1=1;  // select first_name, last_name from from users where user_id = &#39;1&#39; and 1=2;  // select first_name, last_name from from users where user_id = &#39;1&#39; or 1=1;   $result = mysql_query( $query ) or die( &#39;&lt;pre&gt;&#39; .">
<meta property="og:url" content="https://sdttttt.github.io/blog/sql_injection/">
<meta property="og:site_name" content="SDTTTTT">
<meta property="og:type" content="article"><meta property="article:section" content="Blog"><meta property="article:tag" content="penetration test"><meta property="article:published_time" content="2020-04-10T10:54:47+08:00"><meta property="article:modified_time" content="2020-09-24T18:06:32+08:00">
<meta name=twitter:title content="SQL Injection">
<meta name=twitter:description content="DVWA SQL Injection 过关秘籍.
LOW if( isset( $_REQUEST[ &#39;Submit&#39; ] ) ) {  // Get input  $id = $_REQUEST[ &#39;id&#39; ];   // Check database  $query = &#34;SELECT first_name, last_name FROM users WHERE user_id = &#39;$id&#39;;&#34;;  // 并没有做什么注入防护  // 尝试构造：  // select first_name, last_name from from users where user_id = &#39;1&#39; and 1=1;  // select first_name, last_name from from users where user_id = &#39;1&#39; and 1=2;  // select first_name, last_name from from users where user_id = &#39;1&#39; or 1=1;   $result = mysql_query( $query ) or die( &#39;&lt;pre&gt;&#39; .">
</head><body class=article-page>
<script>
  (function () {
    // First visit: persist "auto" as the colour-scheme choice so the resolver
    // below always finds a stored value. Both scripts here are inline, so a
    // CSP for this page needs a nonce/hash (or 'unsafe-inline') to allow them.
    const storageKey = "StackColorScheme";
    if (!localStorage.getItem(storageKey)) {
      localStorage.setItem(storageKey, "auto");
    }
  })();
</script><script>
  (function () {
    // Resolve the stored choice into data-scheme on <html> while the document
    // is still being parsed: "dark" wins outright, "auto" follows the OS
    // preference, anything else (including a missing value) is "light".
    const storageKey = "StackColorScheme";
    const stored = localStorage.getItem(storageKey);
    const osPrefersDark =
      window.matchMedia("(prefers-color-scheme: dark)").matches === true;
    let scheme = "light";
    if (stored == "dark" || (stored === "auto" && osPrefersDark)) {
      scheme = "dark";
    }
    document.documentElement.dataset.scheme = scheme;
  })();
</script>
<div class="container main-container flex on-phone--column compact"><aside class="sidebar left-sidebar sticky">
<header>
<figure class=site-avatar>
</figure><div class=site-meta>
<h1 class=site-name><a href=/>SDTTTTT</a></h1><h2 class=site-description>臭鱼烂虾</h2></div></header><ol class=menu id=main-menu>
<div class=menu-bottom-section>
<li id=dark-mode-toggle><svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-toggle-left" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentcolor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z"/><circle cx="8" cy="12" r="2"/><rect x="2" y="6" width="20" height="12" rx="6"/></svg><svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-toggle-right" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentcolor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z"/><circle cx="16" cy="12" r="2"/><rect x="2" y="6" width="20" height="12" rx="6"/></svg>
<span>Dark Mode</span>
</li></div></ol></aside><main class="main full-width">
<article class=main-article>
<header class=article-header>
<div class=article-details>
<div class=article-title-wrapper>
<h2 class=article-title>
<a href=/blog/sql_injection/>SQL Injection</a>
</h2></div><footer class=article-time>
<div><svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-calendar-time" width="56" height="56" viewBox="0 0 24 24" stroke-width="2" stroke="currentcolor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z"/><path d="M11.795 21H5a2 2 0 01-2-2V7a2 2 0 012-2h12a2 2 0 012 2v4"/><circle cx="18" cy="18" r="4"/><path d="M15 3v4"/><path d="M7 3v4"/><path d="M3 11h16"/><path d="M18 16.496V18l1 1"/></svg>
<time class=article-time--published>Apr 10, 2020</time>
</div><div><svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-clock" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentcolor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z"/><circle cx="12" cy="12" r="9"/><polyline points="12 7 12 12 15 15"/></svg>
<time class=article-time--reading>
3 minute read
</time>
</div></footer></div></header><section class=article-content>
<p>DVWA SQL Injection 过关秘籍.</p><h3 id=low>LOW</h3><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-PHP data-lang=PHP><span style=display:flex><span><span style=color:#66d9ef>if</span>( <span style=color:#a6e22e>isset</span>( $_REQUEST[ <span style=color:#e6db74>&#39;Submit&#39;</span> ] ) ) {
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get input
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $id <span style=color:#f92672>=</span> $_REQUEST[ <span style=color:#e6db74>&#39;id&#39;</span> ];
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Check database
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $query  <span style=color:#f92672>=</span> <span style=color:#e6db74>&#34;SELECT first_name, last_name FROM users WHERE user_id = &#39;</span><span style=color:#e6db74>$id</span><span style=color:#e6db74>&#39;;&#34;</span>;
</span></span><span style=display:flex><span>    <span style=color:#75715e>// 并没有做什么注入防护
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// 尝试构造：
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// select first_name, last_name from from users where user_id = &#39;1&#39; and 1=1;
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// select first_name, last_name from from users where user_id = &#39;1&#39; and 1=2;
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// select first_name, last_name from from users where user_id = &#39;1&#39; or 1=1;
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>
</span></span><span style=display:flex><span>    $result <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_query</span>( $query ) <span style=color:#66d9ef>or</span> <span style=color:#66d9ef>die</span>( <span style=color:#e6db74>&#39;&lt;pre&gt;&#39;</span> <span style=color:#f92672>.</span> <span style=color:#a6e22e>mysql_error</span>() <span style=color:#f92672>.</span> <span style=color:#e6db74>&#39;&lt;/pre&gt;&#39;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get results
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $num <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_numrows</span>( $result );
</span></span><span style=display:flex><span>    $i   <span style=color:#f92672>=</span> <span style=color:#ae81ff>0</span>;
</span></span><span style=display:flex><span>    <span style=color:#66d9ef>while</span>( $i <span style=color:#f92672>&lt;</span> $num ) {
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Get values
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $first <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_result</span>( $result, $i, <span style=color:#e6db74>&#34;first_name&#34;</span> );
</span></span><span style=display:flex><span>        $last  <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_result</span>( $result, $i, <span style=color:#e6db74>&#34;last_name&#34;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Feedback for end user
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#66d9ef>echo</span> <span style=color:#e6db74>&#34;&lt;pre&gt;ID: </span><span style=color:#e6db74>{</span>$id<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;First name: </span><span style=color:#e6db74>{</span>$first<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;Surname: </span><span style=color:#e6db74>{</span>$last<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;/pre&gt;&#34;</span>;
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Increase loop count
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $i<span style=color:#f92672>++</span>;
</span></span><span style=display:flex><span>    }
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#a6e22e>mysql_close</span>();
</span></span><span style=display:flex><span>}
</span></span></code></pre></div><h3 id=medium>Medium</h3><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-php data-lang=php><span style=display:flex><span><span style=color:#66d9ef>if</span>( <span style=color:#a6e22e>isset</span>( $_POST[ <span style=color:#e6db74>&#39;Submit&#39;</span> ] ) ) {
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get input
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// 换成了Post 这也太普通了
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// 使用一些网络请求工具照样改，比如BurpSuite，PostMan，curl.
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $id <span style=color:#f92672>=</span> $_POST[ <span style=color:#e6db74>&#39;id&#39;</span> ];
</span></span><span style=display:flex><span>    $id <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_real_escape_string</span>( $id );
</span></span><span style=display:flex><span>    <span style=color:#75715e>// mysql_real_escape_string 可以对以下字符进行转义
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// \x00, \n, \r, \, &#39;, &#34; 和 \x1a.
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// 值得注意的是 mysql_real_escape_string 函数所在的MYSQL扩展在
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// PHP 5.5.0 起已废弃，并在自 PHP 7.0.0 开始被移除。
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Check database
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $query  <span style=color:#f92672>=</span> <span style=color:#e6db74>&#34;SELECT first_name, last_name FROM users WHERE user_id = </span><span style=color:#e6db74>$id</span><span style=color:#e6db74>;&#34;</span>;
</span></span><span style=display:flex><span>    <span style=color:#75715e>// 尝试构造:
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1;
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>
</span></span><span style=display:flex><span>    $result <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_query</span>( $query ) <span style=color:#66d9ef>or</span> <span style=color:#66d9ef>die</span>( <span style=color:#e6db74>&#39;&lt;pre&gt;&#39;</span> <span style=color:#f92672>.</span> <span style=color:#a6e22e>mysql_error</span>() <span style=color:#f92672>.</span> <span style=color:#e6db74>&#39;&lt;/pre&gt;&#39;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get results
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $num <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_numrows</span>( $result );
</span></span><span style=display:flex><span>    $i   <span style=color:#f92672>=</span> <span style=color:#ae81ff>0</span>;
</span></span><span style=display:flex><span>    <span style=color:#66d9ef>while</span>( $i <span style=color:#f92672>&lt;</span> $num ) {
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Display values
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $first <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_result</span>( $result, $i, <span style=color:#e6db74>&#34;first_name&#34;</span> );
</span></span><span style=display:flex><span>        $last  <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_result</span>( $result, $i, <span style=color:#e6db74>&#34;last_name&#34;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Feedback for end user
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#66d9ef>echo</span> <span style=color:#e6db74>&#34;&lt;pre&gt;ID: </span><span style=color:#e6db74>{</span>$id<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;First name: </span><span style=color:#e6db74>{</span>$first<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;Surname: </span><span style=color:#e6db74>{</span>$last<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;/pre&gt;&#34;</span>;
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Increase loop count
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $i<span style=color:#f92672>++</span>;
</span></span><span style=display:flex><span>    }
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>//mysql_close();
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>}
</span></span></code></pre></div><h3 id=high>High</h3><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-PHP data-lang=PHP><span style=display:flex><span><span style=color:#66d9ef>if</span>( <span style=color:#a6e22e>isset</span>( $_SESSION [ <span style=color:#e6db74>&#39;id&#39;</span> ] ) ) {
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get input
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $id <span style=color:#f92672>=</span> $_SESSION[ <span style=color:#e6db74>&#39;id&#39;</span> ];
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Check database
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// 看起来做了返回条目限制
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $query  <span style=color:#f92672>=</span> <span style=color:#e6db74>&#34;SELECT first_name, last_name FROM users WHERE user_id = &#39;</span><span style=color:#e6db74>$id</span><span style=color:#e6db74>&#39; LIMIT 1;&#34;</span>;
</span></span><span style=display:flex><span>    <span style=color:#75715e>// 没什么套路
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#75715e>// SELECT first_name, last_name FROM users WHERE user_id = &#39;1&#39; or 1=1 # &#39; LIMIT 1;
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>
</span></span><span style=display:flex><span>    $result <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_query</span>( $query ) <span style=color:#66d9ef>or</span> <span style=color:#66d9ef>die</span>( <span style=color:#e6db74>&#39;&lt;pre&gt;Something went wrong.&lt;/pre&gt;&#39;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get results
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $num <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_numrows</span>( $result );
</span></span><span style=display:flex><span>    $i   <span style=color:#f92672>=</span> <span style=color:#ae81ff>0</span>;
</span></span><span style=display:flex><span>    <span style=color:#66d9ef>while</span>( $i <span style=color:#f92672>&lt;</span> $num ) {
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Get values
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $first <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_result</span>( $result, $i, <span style=color:#e6db74>&#34;first_name&#34;</span> );
</span></span><span style=display:flex><span>        $last  <span style=color:#f92672>=</span> <span style=color:#a6e22e>mysql_result</span>( $result, $i, <span style=color:#e6db74>&#34;last_name&#34;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Feedback for end user
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#66d9ef>echo</span> <span style=color:#e6db74>&#34;&lt;pre&gt;ID: </span><span style=color:#e6db74>{</span>$id<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;First name: </span><span style=color:#e6db74>{</span>$first<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;Surname: </span><span style=color:#e6db74>{</span>$last<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;/pre&gt;&#34;</span>;
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Increase loop count
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $i<span style=color:#f92672>++</span>;
</span></span><span style=display:flex><span>    }
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#a6e22e>mysql_close</span>();
</span></span><span style=display:flex><span>}
</span></span></code></pre></div><h3 id=impossible>impossible</h3><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-PHP data-lang=PHP><span style=display:flex><span><span style=color:#66d9ef>if</span>( <span style=color:#a6e22e>isset</span>( $_GET[ <span style=color:#e6db74>&#39;Submit&#39;</span> ] ) ) {
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Check Anti-CSRF token
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#a6e22e>checkToken</span>( $_REQUEST[ <span style=color:#e6db74>&#39;user_token&#39;</span> ], $_SESSION[ <span style=color:#e6db74>&#39;session_token&#39;</span> ], <span style=color:#e6db74>&#39;index.php&#39;</span> );
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Get input
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    $id <span style=color:#f92672>=</span> $_GET[ <span style=color:#e6db74>&#39;id&#39;</span> ];
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#75715e>// Was a number entered?
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>    <span style=color:#66d9ef>if</span>(<span style=color:#a6e22e>is_numeric</span>( $id )) {
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Check the database
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#75715e>// 这是！PDO!
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#75715e>// PDO 是一种PHP中比较先进的面向对象形式的数据库访问技术
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#75715e>// 不过即使是面向对象它还是事务脚本形式的。
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#75715e>// 提供了防SQL注入的功能。
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        $data <span style=color:#f92672>=</span> $db<span style=color:#f92672>-&gt;</span><span style=color:#a6e22e>prepare</span>( <span style=color:#e6db74>&#39;SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;&#39;</span> );
</span></span><span style=display:flex><span>        <span style=color:#75715e>// 无法注入
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>
</span></span><span style=display:flex><span>        $data<span style=color:#f92672>-&gt;</span><span style=color:#a6e22e>bindParam</span>( <span style=color:#e6db74>&#39;:id&#39;</span>, $id, <span style=color:#a6e22e>PDO</span><span style=color:#f92672>::</span><span style=color:#a6e22e>PARAM_INT</span> );
</span></span><span style=display:flex><span>        $data<span style=color:#f92672>-&gt;</span><span style=color:#a6e22e>execute</span>();
</span></span><span style=display:flex><span>        $row <span style=color:#f92672>=</span> $data<span style=color:#f92672>-&gt;</span><span style=color:#a6e22e>fetch</span>();
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>        <span style=color:#75715e>// Make sure only 1 result is returned
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>        <span style=color:#66d9ef>if</span>( $data<span style=color:#f92672>-&gt;</span><span style=color:#a6e22e>rowCount</span>() <span style=color:#f92672>==</span> <span style=color:#ae81ff>1</span> ) {
</span></span><span style=display:flex><span>            <span style=color:#75715e>// Get values
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>            $first <span style=color:#f92672>=</span> $row[ <span style=color:#e6db74>&#39;first_name&#39;</span> ];
</span></span><span style=display:flex><span>            $last  <span style=color:#f92672>=</span> $row[ <span style=color:#e6db74>&#39;last_name&#39;</span> ];
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>            <span style=color:#75715e>// Feedback for end user
</span></span></span><span style=display:flex><span><span style=color:#75715e></span>            <span style=color:#66d9ef>echo</span> <span style=color:#e6db74>&#34;&lt;pre&gt;ID: </span><span style=color:#e6db74>{</span>$id<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;First name: </span><span style=color:#e6db74>{</span>$first<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;br /&gt;Surname: </span><span style=color:#e6db74>{</span>$last<span style=color:#e6db74>}</span><span style=color:#e6db74>&lt;/pre&gt;&#34;</span>;
</span></span><span style=display:flex><span>        }
</span></span><span style=display:flex><span>    }
</span></span><span style=display:flex><span>}
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span><span style=color:#75715e>// Generate Anti-CSRF tsoken
</span></span></span><span style=display:flex><span><span style=color:#75715e></span><span style=color:#a6e22e>generateSessionToken</span>();
</span></span></code></pre></div><h2 id=extension>Extension</h2><p><strong>二次注入:</strong></p><p>网站有管理员<code>admin</code>.</p><p>一位恶意用户注册了<code>admin'#</code>用户.</p><p>恶意用户更新了自己的密码.</p><p>更新SQL:</p><blockquote>
<p>update users
set password = '$password'
where
username = '$username' and password = '$password'</p></blockquote><p>替换为恶意用户写入的数据:</p><blockquote>
<p>update users
set password = #{password}
where
username = 'admin'#' and password = '$password'</p></blockquote><p>注意 <code>#</code> 之后的内容被注释掉了，所以真正被执行的只有：</p><blockquote>
<p>update users
set password = #{password}
where
username = 'admin'</p></blockquote><p>恶意用户可以无视管理员<code>admin</code>的密码验证，直接修改密码。这里的注入点不在注册时，而在后续的更新：已经存入数据库的用户名被当作可信数据直接拼接进 UPDATE 语句，这正是“二次注入”的含义；因此更新密码的 SQL 同样要使用参数化查询，从数据库里取出的值也应当作不可信输入处理。</p></section><footer class=article-footer>
<section class=article-tags>
<a href=/tags/penetration-test/>penetration test</a>
</section><section class=article-lastmod><svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-clock" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentcolor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z"/><circle cx="12" cy="12" r="9"/><polyline points="12 7 12 12 15 15"/></svg>
<span>
Last updated on Sep 24, 2020 18:06 CST
</span>
</section></footer></article><div id=gitalk-container></div><link rel=stylesheet href=https://cdn.jsdelivr.net/npm/gitalk@1.7.2/dist/gitalk.css>
<script src=https://cdn.jsdelivr.net/npm/gitalk@1.7.2/dist/gitalk.min.js></script>
<script src=https://cdn.jsdelivr.net/npm/blueimp-md5@2.18.0/js/md5.min.js></script>
<script>
  // The GitHub OAuth clientSecret is passed to the browser-side Gitalk
  // constructor here, so it is readable by every visitor and must be treated
  // as public: keep this OAuth app scoped to the comment flow only and do not
  // reuse the same app anywhere else. Note also that the gitalk.min.js and
  // md5.min.js tags above load from a CDN without an integrity attribute,
  // unlike the photoswipe/vibrant scripts further down the page.
  const gitalk = new Gitalk({
    clientID: "97eb9ce8ac126f0c7833",
    clientSecret: "5da440441b500b0b016928640712a1b1a03a5f8f",
    repo: "sdttttt/sdttttt.github.io",
    owner: "sdttttt",
    admin: ["sdttttt"],
    distractionFreeMode: false,
    // One issue per page, keyed by the MD5 of the path (md5 is the global
    // provided by the blueimp-md5 script loaded just above).
    id: md5(location.pathname)
  });
  (function () {
    // Local preview: show a static notice instead of rendering the widget.
    const previewHosts = ["localhost", "127.0.0.1"];
    const isLocalPreview = previewHosts.indexOf(window.location.hostname) != -1;
    if (isLocalPreview) {
      document.getElementById("gitalk-container").innerHTML =
        "Gitalk comments not available by default when the website is previewed locally.";
    } else {
      gitalk.render("gitalk-container");
    }
  })();
</script>
<footer class=site-footer>
<section class=copyright>
&copy;
2022 SDTTTTT
</section><section class=powerby>
</section></footer><div class=pswp tabindex=-1 role=dialog aria-hidden=true>
<div class=pswp__bg></div><div class=pswp__scroll-wrap>
<div class=pswp__container>
<div class=pswp__item></div><div class=pswp__item></div><div class=pswp__item></div></div><div class="pswp__ui pswp__ui--hidden">
<div class=pswp__top-bar>
<div class=pswp__preloader>
<div class=pswp__preloader__icn>
<div class=pswp__preloader__cut>
<div class=pswp__preloader__donut></div></div></div></div></div><div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
<div class=pswp__share-tooltip></div></div><button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
</button>
<button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
</button>
<div class=pswp__caption>
<div class=pswp__caption__center></div></div></div></div></div><script src=https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.js integrity="sha256-ePwmChbbvXbsO02lbM3HoHbSHTHFAeChekF1xKJdleo=" crossorigin=anonymous defer></script><script src=https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe-ui-default.min.js integrity="sha256-UKkzOn/w1mBxRmLLGrSeyB4e1xbrp4xylgAWb3M42pU=" crossorigin=anonymous defer></script><link rel=stylesheet href=https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/default-skin/default-skin.css integrity="sha256-c0uckgykQ9v5k+IqViZOZKc47Jn7KQil4/MP3ySA3F8=" crossorigin=anonymous><link rel=stylesheet href=https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.css integrity="sha256-SBLU4vv6CA6lHsZ1XyTdhyjJxCjPif/TRkjnsyGAGnE=" crossorigin=anonymous>
</main></div><script src=https://cdn.jsdelivr.net/npm/node-vibrant@3.1.5/dist/vibrant.min.js integrity="sha256-5NovOZc4iwiAWTYIFiIM7DxKUXKWvpVEuMEPLzcm5/g=" crossorigin=anonymous></script><script type=text/javascript src=/ts/main.js defer></script>
<script>
  (function () {
    // Append a stylesheet <link> for the Lato web font. This is a runtime
    // fetch from a third-party origin on every page load, so a CSP for the
    // page must allow fonts.googleapis.com (and the font files it references)
    // under style-src/font-src, and this inline script itself needs a
    // nonce/hash.
    const fontLink = document.createElement("link");
    fontLink.href =
      "https://fonts.googleapis.com/css2?family=Lato:wght@300;400;700&display=swap";
    fontLink.type = "text/css";
    fontLink.rel = "stylesheet";
    document.head.appendChild(fontLink);
  })();
</script>
</body></html>